gitlab-org--gitlab-foss/app/controllers/groups/application_controller.rb

class Groups::ApplicationController < ApplicationController
  include RoutableActions
  include ControllerWithCrossProjectAccessCheck

  layout 'group'

  skip_before_action :authenticate_user!
  before_action :group
  requires_cross_project_access

  private

  def group
    @group ||= find_routable!(Group, params[:group_id] || params[:id])
  end

  def group_projects
    @projects ||= GroupProjectsFinder.new(group: group, current_user: current_user).execute
  end

  def authorize_admin_group!
    unless can?(current_user, :admin_group, group)
      return render_404
    end
  end

  def authorize_admin_group_member!
    unless can?(current_user, :admin_group_member, group)
      return render_403
    end
  end

  def build_canonical_path(group)
    params[:group_id] = group.to_param

    url_for(safe_params)
  end
end
group controller refactoring 2015-03-12 11:08:48 -04:00			`class Groups::ApplicationController < ApplicationController`
Redirect from redirect routes to canonical routes 2017-05-01 16:46:30 -04:00			`include RoutableActions`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`include ControllerWithCrossProjectAccessCheck`
Redirect from redirect routes to canonical routes 2017-05-01 16:46:30 -04:00
Add helpers for header title and sidebar, and move setting those from controllers to layouts. 2015-05-01 04:39:11 -04:00			`layout 'group'`
Tweaks, refactoring, and specs 2016-03-20 16:03:53 -04:00
			`skip_before_action :authenticate_user!`
Refactor global and group milestones logic Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-11-13 13:20:48 -05:00			`before_action :group`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`requires_cross_project_access`
group controller refactoring 2015-03-12 11:08:48 -04:00
			`private`
Refactor global and group milestones logic Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-11-13 13:20:48 -05:00
			`def group`
Resolve discussions 2017-05-04 20:06:01 -04:00			`@group \|\|= find_routable!(Group, params[:group_id] \|\| params[:id])`
Tweaks, refactoring, and specs 2016-03-20 16:03:53 -04:00			`end`

			`def group_projects`
ProjectsFinder should handle more options Extended ProjectFinder in order to handle the following options: - current_user - which user use - project_ids_relation: int[] - project ids to use - params: - trending: boolean - non_public: boolean - starred: boolean - sort: string - visibility_level: int - tags: string[] - personal: boolean - search: string - non_archived: boolean GroupProjectsFinder now inherits from ProjectsFinder. Changed the code in order to use the new available options. 2017-03-03 05:35:04 -05:00			`@projects \|\|= GroupProjectsFinder.new(group: group, current_user: current_user).execute`
Move group members index from `/members` to `/group_members`. 2015-03-13 11:27:51 -04:00			`end`
Refactor global and group milestones logic Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-11-13 13:20:48 -05:00
group controller refactoring 2015-03-12 11:08:48 -04:00			`def authorize_admin_group!`
Rename manage_group ability to admin_group for consistency with project. 2015-04-10 08:39:10 -04:00			`unless can?(current_user, :admin_group, group)`
group controller refactoring 2015-03-12 11:08:48 -04:00			`return render_404`
			`end`
			`end`
Refactor global and group milestones logic Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-11-13 13:20:48 -05:00
Use before_actions 2015-07-31 08:15:49 -04:00			`def authorize_admin_group_member!`
			`unless can?(current_user, :admin_group_member, group)`
			`return render_403`
			`end`
			`end`
Refactor to more robust implementation In order to avoid string manipulation or modify route params (to make them unambiguous for `url_for`), we are accepting a behavior change: When being redirected to the canonical path for a group, if you requested a group show path starting with `/groups/…` then you’ll now be redirected to the group at root `/…`. 2017-05-18 19:23:05 -04:00
			`def build_canonical_path(group)`
			`params[:group_id] = group.to_param`
Enable Layout/TrailingWhitespace cop and auto-correct offenses 2017-08-15 13:44:37 -04:00
[Rails5] Use `safe_params` instead of `params` in `url_for` helpers This commits replaces `params` with `safe_params` in `url_for` helpers to resolve security issues [1] and failing specs with the ``` ArgumentError: Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure. ``` error. [1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168 2018-04-28 06:35:16 -04:00			`url_for(safe_params)`
Refactor to more robust implementation In order to avoid string manipulation or modify route params (to make them unambiguous for `url_for`), we are accepting a behavior change: When being redirected to the canonical path for a group, if you requested a group show path starting with `/groups/…` then you’ll now be redirected to the group at root `/…`. 2017-05-18 19:23:05 -04:00			`end`
group controller refactoring 2015-03-12 11:08:48 -04:00			`end`